A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. Upstream patch: https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef References: https://bugzilla.redhat.com/show_bug.cgi?id=1602752
The following OpenStack releases ship the vulnerable library. However, OpenStack does not appear to use the GCM mode. Red Hat OpenStack 13 Red Hat OpenStack 14
Created python-cryptography tracking bugs for this issue: Affects: openstack-rdo [bug 1605041]
(In reply to Pedro Yóssis Silva Barbosa from comment #8) > RHEL7.5 ships version 1.7.2-2. Thus it is affected. How come, description says >=1.9.0 and <2.3 ?
Correction: RHEL7.5 ships version 1.7.2-2 and the finalize_with_tag method wasn't implemented in this version. Thus it is NOT affected. I am closing the rhel-7 tracker.
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2018:3600 https://access.redhat.com/errata/RHSA-2018:3600